
Sunday, January 4, 2026

PAN-OS release plan

Happy New Year 2026.

For some time I have wanted to write this post about the PAN-OS software release strategy.

Until PAN-OS 10.2

Each supported PAN-OS version received a maintenance release every 2-3 months.

Unless a critical bug slipped through the QA tests, there were not many hotfix releases.

To illustrate that, you can check the number of bugs fixed in the releases for PAN-OS 9.1.

["version","Nb fixes"],
['9.1.0', 8],
['9.1.1', 21],
['9.1.2', 89],
['9.1.3', 130],
['9.1.4', 72],
['9.1.5', 96],
['9.1.6', 69],
['9.1.7', 60],
['9.1.8', 74],
['9.1.9', 56],
['9.1.10', 110],
['9.1.11', 104],
['9.1.12', 90],
['9.1.13', 36],
['9.1.14', 26],
['9.1.15', 38],
['9.1.16', 50],
['9.1.17', 20],
['9.1.18', 12],
['9.1.19', 3],

In the list above (dumped from the release notes I saved for PAN-OS 9.1), I ignored the hotfix releases.
But you can see that each maintenance release received more than 50 fixes until 9.1.13; from then on, the count dropped below 50.
--> if you are still on PAN-OS 9.1, you can consider the version quite mature after 9.1.13, as fewer software issues are being addressed.

So what has changed since PAN-OS 10.2?

"Service pack" release

["version","Nb fixes"],
['11.1.0', 11],
['11.1.1', 12],
['11.1.2', 16],
['11.1.3', 130],
['11.1.4', 17],
['11.1.5', 312],
['11.1.6', 52],
['11.1.7', 25],
['11.1.8', 246],
['11.1.9', 53],
['11.1.10', 29],
['11.1.11', 247],
['11.1.12', 41],
['11.1.13', 34],
This is the list of the regular maintenance releases.
If you look carefully at the number of fixes, you can notice some "service pack" releases: 11.1.5 with 312 fixes, 11.1.8 with 246 fixes and 11.1.11 with 247 fixes, while the other maintenance releases contain up to 50 fixes.

More Hotfix releases

["version","Nb fixes"],
['11.1.0-h1', 1],
['11.1.2-h1', 4],
['11.1.2-h3', 1],
['11.1.3-h1', 2],
['11.1.4-h1', 9],
['11.1.4-h4', 56],
['11.1.4-h9', 47],
['11.1.4-h13', 69],
['11.1.4-h15', 12],
['11.1.4-h16', 1],
['11.1.4-h17', 23],
['11.1.4-h18', 7],
['11.1.4-h25', 14],
['11.1.4-h27', 6],
['11.1.5-h1', 1],
['11.1.6-h1', 61],
['11.1.6-h3', 12],
['11.1.6-h4', 16],
['11.1.6-h5', 1],
['11.1.6-h6', 33],
['11.1.6-h7', 22],
['11.1.6-h10', 48],
['11.1.6-h14', 66],
['11.1.6-h17', 55],
['11.1.6-h19', 17],
['11.1.6-h20', 15],
['11.1.6-h21', 10],
['11.1.6-h22', 1],
['11.1.6-h23', 24],
['11.1.7-h1', 1],
['11.1.7-h2', 137],
['11.1.10-h1', 57],
['11.1.10-h4', 70],
['11.1.10-h5', 27],
['11.1.10-h7', 65],
['11.1.10-h9', 1],
['11.1.10-h10', 32],
With the new release plan, there are also more hotfix releases now.
Keep in mind that PAN-OS releases are still cumulative: 11.1.8 contains all the issues resolved from 11.1.0 up to 11.1.8.
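As an added example (not from the post), here is a small Python script that encodes the fix counts listed above and applies the two observations made in this post: a "service pack" stands out by its fix count, and a train becomes "mature" once every later release fixes at most 50 issues. The multiplier used to flag a service pack and the 50-fix threshold are assumptions of this example, not Palo Alto Networks definitions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fix counts per maintenance release, copied from the two lists in this post.
FIXES_9_1: Dict[str, int] = {
    "9.1.0": 8, "9.1.1": 21, "9.1.2": 89, "9.1.3": 130, "9.1.4": 72, "9.1.5": 96,
    "9.1.6": 69, "9.1.7": 60, "9.1.8": 74, "9.1.9": 56, "9.1.10": 110, "9.1.11": 104,
    "9.1.12": 90, "9.1.13": 36, "9.1.14": 26, "9.1.15": 38, "9.1.16": 50, "9.1.17": 20,
    "9.1.18": 12, "9.1.19": 3,
}
FIXES_11_1: Dict[str, int] = {
    "11.1.0": 11, "11.1.1": 12, "11.1.2": 16, "11.1.3": 130, "11.1.4": 17,
    "11.1.5": 312, "11.1.6": 52, "11.1.7": 25, "11.1.8": 246, "11.1.9": 53,
    "11.1.10": 29, "11.1.11": 247, "11.1.12": 41, "11.1.13": 34,
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split 'major.minor.maint[-hN]' into a sortable tuple (hotfix 0 = base release),
    so that 9.1.10 sorts after 9.1.2 and 11.1.4-h13 after 11.1.4-h9."""
    match = VERSION_RE.match(version)
    if not match:
        raise ValueError(f"not a PAN-OS version string: {version}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

def service_packs(fixes: Dict[str, int], factor: float = 4.0) -> List[str]:
    """Releases fixing at least `factor` times the median count of their train
    (assumed heuristic for what the post calls a 'service pack')."""
    counts = sorted(fixes.values())
    median = counts[len(counts) // 2]
    return [v for v in sorted(fixes, key=parse_version) if fixes[v] >= factor * median]

def maturity_point(fixes: Dict[str, int], threshold: int = 50) -> Optional[str]:
    """First release from which every later release fixed at most `threshold` issues."""
    ordered = sorted(fixes, key=parse_version)
    for i, version in enumerate(ordered):
        if all(fixes[v] <= threshold for v in ordered[i:]):
            return version
    return None

def cumulative_fixes(fixes: Dict[str, int], target: str) -> int:
    """Releases are cumulative: the fixes a release carries are the sum of all
    maintenance releases of the same train up to and including it."""
    t = parse_version(target)
    return sum(n for v, n in fixes.items()
               if parse_version(v)[:2] == t[:2] and parse_version(v) <= t)
```

With these thresholds, the 9.1 train has no service pack and matures at 9.1.13, while 11.1 flags 11.1.5, 11.1.8 and 11.1.11.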

Sunday, December 28, 2025

Home PA-450 upgraded to PAN-OS 11.2

My home PA-450 had been running PAN-OS 11.1 since I received it.

Now that PAN-OS 11.2 has reached its 11th release (11.2.0 being the first one; at the time of writing, the latest release available is 11.2.10), I thought it was time for me to move to PAN-OS 11.2.

Among the new features introduced in PAN-OS 11.2, there is not much for my use case (internet gateway), but I made sure to enable inline ML inspection.

So far, so good (less than 24h of uptime); I am posting this behind my firewall :)


Sunday, December 14, 2025

Palo Alto Networks Network Security Architect ... Passed

Palo Alto Networks has reworked its certification program to be more "role"-based.

You can find all the new certifications here.

So there is a track for each main Palo Alto Networks product portfolio:
- Security Operations, with the Cortex products
- Cloud Security, with the Prisma Cloud products
- Network Security, with the Strata products

Earlier this year, I took the NetSec NGFW Engineer and the NetSec Analyst exams, which more or less cover the PCNSE (Palo Alto Networks Certified Network Security Engineer).

So I wanted to try the NetSec Architect exam, released last October (announcement here).

... and I got a PASS,
although during the exam I was not confident until the last question.

This exam is totally different from the NetSec NGFW Engineer and Analyst exams; it is more "design"-oriented in my opinion. Also, a simple day-to-day NGFW job would not be enough: an understanding of the big picture of the SASE architecture, and of how every product fits into it, is required.

For the preparation ... just my day-to-day work in TAC, which, let's be honest, lacks Prisma Access / Prisma SD-WAN experience.
Positive point: I attended a workshop on Prisma AIRS runtime protection; the exam requires the candidate to understand the use case of Prisma AIRS vs AI Access, and it helped me during the exam.

Anyway, if I had to prepare for it properly, I would say you need a solid understanding of the different technologies involved in SASE.

Sunday, January 14, 2024

Linkedin "top computer networking voice" badge

This week, I saw that I got the "top computer networking voice" badge on my LinkedIn profile.

Is it an achievement?
Actually, not really: to get the badge you simply need to answer/comment on the automatically generated answers to a question (which is also probably automatically generated).
Of course, you need to give relevant answers (to get the comment "liked"), but it is not rocket science.

Now, about this new badge stuff, I was wondering whether it was not part of the ongoing AI trend: LinkedIn is part of Microsoft, Microsoft has a partnership with OpenAI (developing ChatGPT) ... and there was this video.

At 0:58, the slide shows the "training pipeline" to get an AI assistant.

So, like I wrote earlier, you have automatically generated answers from the AI, you get some human answers, you measure how relevant the answers are (based on the number of likes), and you use the best answers to improve the training of the AI (ChatGPT).

So the badge is more a token for participating in helping the AI provide better answers than an actual proof of "expertise", as anyone with a LinkedIn account could answer.

Anyway, that's always good for my ego.

Sunday, December 31, 2023

Use Hostname to deduce running services

Disclaimer: the information in this article was disclosed to my current company's Patent Committee in December 2023, but they decided not to pursue it further, nor to keep it as a trade secret, so this idea remains a simple idea.
Therefore, I will simply disclose it here; I thought it was a good idea, and maybe some people can see an interesting use case for it.
Also, as of today, I am not aware of any product or product feature that uses this idea.

So to understand the idea, let's start with some basics.

We talk about 'semantics' when we are talking about the meaning of a word.

In computing, and more specifically in networking, this goes down to the bit level: 0 and 1 are distinct values, and they have a meaning (is / is not; true / false). So a single bit may have a meaning, and so may a set of bits together.

For instance, the flags in the TCP header.

  TCP Header Format

                                    
    0                   1                   2                   3   
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            TCP Header Format

          Note that one tick mark represents one bit position.

                               Figure 3. (from RFC 793)
For instance, the SYN flag, when set to 1, means the segment is the first segment sent by the host and, more importantly, that the sequence number in the header is the starting sequence number.
Another illustration of this semantics: the MAC address, and more specifically its first half. Those 3 bytes (the OUI) identify a specific vendor.
The last example I want to discuss in this post is the IP address. With IP addressing, you may have some rules: for instance, in a network range, the first usable address is the gateway IP address, the 2nd one is for the active gateway (as a device), and the 3rd one is for the passive gateway (again as a device).
Basically:
x.x.x.1 for the default gateway
x.x.x.2 for the active node
x.x.x.3 for the passive node
All three are examples of semantics in networking.
Now, there is a PAN-OS feature which allows users to write policies based on this IP semantics: IP Wildcard Objects.
A wildcard object matches the IPs meeting the wildcard condition.
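As an added example (not from the post or from PAN-OS itself), the following Python encodes the x.x.x.1 / x.x.x.2 / x.x.x.3 convention above as wildcard objects in the PAN-OS notation (address/wildcard-mask, where a 0 bit in the mask must match and a 1 bit is "don't care") and also derives a wildcard object from a set of observed addresses. The 10.0.0.0/8 scope, the object names and every address value are constructed for this example.

```python
from ipaddress import IPv4Address
from typing import Dict, Iterable, Optional, Tuple

ALL_ONES = 0xFFFFFFFF

# Constructed wildcard objects for the convention in the post, scoped to 10.0.0.0/8.
# PAN-OS notation "address/mask": 0 bits of the mask must match, 1 bits are ignored.
ROLE_OBJECTS: Dict[str, str] = {
    "default-gateway": "10.0.0.1/0.255.255.0",
    "active-node": "10.0.0.2/0.255.255.0",
    "passive-node": "10.0.0.3/0.255.255.0",
}

def parse_wildcard(obj: str) -> Tuple[int, int]:
    """'10.0.0.2/0.255.255.0' -> (address bits, care bits); care = bits that must match."""
    addr, mask = obj.split("/")
    care = ~int(IPv4Address(mask)) & ALL_ONES
    return int(IPv4Address(addr)) & care, care

def wildcard_matches(obj: str, ip: str) -> bool:
    """True when every 'care' bit of `ip` equals the object's address bit."""
    base, care = parse_wildcard(obj)
    return (int(IPv4Address(ip)) & care) == base

def role_of(ip: str, objects: Dict[str, str] = ROLE_OBJECTS) -> Optional[str]:
    """Name of the first wildcard object matching `ip`, or None when no role is known."""
    for name, obj in objects.items():
        if wildcard_matches(obj, ip):
            return name
    return None

def infer_wildcard(samples: Iterable[str]) -> str:
    """Derive the tightest wildcard object matching every sample: a bit becomes
    'don't care' as soon as two samples differ in it. Over-fits to small samples."""
    ints = [int(IPv4Address(s)) for s in samples]
    if not ints:
        raise ValueError("need at least one sample address")
    mask = 0
    for value in ints[1:]:
        mask |= ints[0] ^ value
    base = ints[0] & ~mask & ALL_ONES
    return f"{IPv4Address(base)}/{IPv4Address(mask)}"
```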
The idea I propose is about the hostname. All objects are defined with a hostname (simpler than remembering the IP address of every machine on the network). Most of the time, the hostname follows a naming convention, so if you can determine that convention, or at least identify some key portion of the hostname that links to a running service, that knowledge can be saved for other purposes.
So by analysing a firewall configuration:
- we can get a mapping of hostname <-> security rules; for instance, you have a security rule allowing DNS requests to the object "fr-dns-1".
- and by doing this for a lot of configuration files, you can then get some trends of hostname portion <-> application. For instance, when you collect 1000 security rules for DNS traffic to different hostnames, some characters will appear to be common to most of the hostnames (for instance, "dns" in a hostname may indicate the server runs a DNS server).
So once some trends (hostname parts which are common to most of the security rules for the same application) are identified for every application, it is then possible to build consumer services which could benefit from them:
- an AI copilot for configuration assistance ("Make a security rule to strictly allow only the DNS application to the DNS servers");
- a configuration audit, making sure that for all the hostnames found in a configuration, only the required applications are allowed;
- intelligence capabilities: if you collect all the A records, the applications running for all records can be returned.
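The learning and audit steps of the idea above, as an added Python example that is not part of the post or of any product: it learns hostname-token-to-application trends from a constructed set of security rules (destination hostname, allowed application), then audits a constructed configuration against them and answers the copilot-style question "which hostnames are the DNS servers?". The tokenizer, the support/confidence thresholds and all hostnames and application names are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str]  # (destination hostname, allowed application)

# Constructed training set: rules collected from many firewall configurations.
TRAINING: List[Rule] = [
    ("fr-dns-1", "dns"), ("fr-dns-2", "dns"), ("uk-dns-01", "dns"),
    ("dns-cache-3", "dns"), ("fr-dns-app", "web-browsing"),
    ("fr-ntp-1", "ntp"), ("de-ntp-2", "ntp"), ("ntp01", "ntp"),
    ("fr-web-1", "web-browsing"), ("uk-web-2", "web-browsing"),
    ("web-proxy-1", "web-browsing"), ("fr-mail-1", "smtp"),
    ("de-mail-1", "smtp"), ("fr-sql-1", "mssql-db"),
]
# A hostname is split into letter runs and digit runs: "fr-dns-01" -> {"fr", "dns", "01"}.
TOKEN_RE = re.compile(r"[a-z]+|\d+")

def tokens(hostname: str) -> Set[str]:
    return set(TOKEN_RE.findall(hostname.lower()))

def learn_trends(rules: List[Rule], min_support: int = 2,
                 min_confidence: float = 0.75) -> Dict[str, str]:
    """Map a token to an application when it occurs in >= min_support rules and
    >= min_confidence of them allow the same application; site codes such as "fr"
    and counters such as "1" fail the confidence test and are dropped."""
    per_token: Dict[str, Counter] = defaultdict(Counter)
    for host, app in rules:
        for tok in tokens(host):
            per_token[tok][app] += 1
    trends: Dict[str, str] = {}
    for tok, apps in per_token.items():
        app, hits = apps.most_common(1)[0]
        total = sum(apps.values())
        if total >= min_support and hits / total >= min_confidence:
            trends[tok] = app
    return trends

def audit(config: List[Rule], trends: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Flag rules whose hostname points to one application but which allow another
    (including "any"); hostnames with no learned token are skipped, not flagged."""
    findings = []
    for host, app in config:
        expected = {trends[tok] for tok in tokens(host) if tok in trends}
        if expected and app not in expected:
            findings.append((host, app, sorted(expected)))
    return findings

def hosts_for_app(app: str, hostnames: List[str], trends: Dict[str, str]) -> List[str]:
    """Copilot-style lookup: hostnames whose tokens are associated with `app`."""
    return [h for h in hostnames if any(trends.get(tok) == app for tok in tokens(h))]
```

Unknown naming conventions produce no trend and therefore no finding, so a clean audit result only covers the hostnames the training data could explain.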